Critical Adobe Flaw Fixed in Out-of-Band Security Update

Adobe has released an out-of-band patch for a critical vulnerability in its Creative Cloud Desktop Application for Windows. The flaw can be exploited by an attacker to delete specific arbitrary files on the victim’s system.

Creative Cloud acts as a central console for desktop users to quickly launch, manage and update their Adobe apps, such as Photoshop, Acrobat, Illustrator and more. Specifically affected is the Creative Cloud desktop application version 5.0 and earlier; Adobe has made the necessary fixes in version 5.1 of the application.

“Successful exploitation could lead to arbitrary file deletion in the context of the current user,” said Adobe, in a Tuesday post. “Adobe recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin.”

The flaw (CVE-2020-3808) stems from a time-of-check to time-of-use (TOCTOU) race condition. A race condition occurs when two or more system operations can access shared data, and they try to change it at the same time. This specific type of race condition involves the checking of the state of a part of a system (such as a security credential) and the use of the results of that check being done at the same time.

If exploited, the flaw could enable arbitrary file deletion, allowing an attacker to delete certain critical files. However, further details about the attack — such as whether an attacker would need to be local or remote, or whether they would need to be authenticated — were not detailed by Adobe. Threatpost has reached out for further clarification.

The security upgrade is a “priority 2” update. According to Adobe, that means that it resolves vulnerabilities in a product that has historically been at elevated risk – but that there are currently no known exploits.

“Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days),” according to Adobe.

It’s the second out-of-band update for Adobe in March. Last week Adobe disclosed an update addressing critical vulnerabilities in its Photoshop and Acrobat Reader products, which if exploited could allow arbitrary code-execution. Overall, Adobe last week patched flaws tied to 41 CVEs across its products, 29 of which were critical in severity. The fixes were released outside of Adobe’s regularly scheduled update day, which was earlier in March (during which Adobe had no patches).

Adobe credited Jiadong Lu of South China University of Technology and Zhiniang Peng of Qihoo 360 Core Security (@edwardzpeng) for finding the flaw.